So there’s been a big security flaw in Apple’s macOS that the company fixed in 24 hours. I rarely cover security issues because where do you draw the line, right? Anyhow, the manner of disclosure of this specific flaw is drawing some ire.
Obviously, this isn’t great, and the manner of disclosure didn’t help much either. Usually it’s advisable to disclose these vulnerabilities privately to the vendor, so that it can patch any holes before malicious parties attempt to use them for their own gains. But that ship has sailed.
I’ve never quite understood this concept of “responsible disclosure”, where you give a multi-billion dollar company a few months to fix a severe security flaw before you go public. First, unless you’re on that company’s payroll, you have zero legal or moral responsibility to help that company protect its products or good name. Second, if the software I’m using has a severe security flaw, I’d rather very damn well please would like to know so I can do whatever I can to temporarily fix the issue, stop using the software, or take other mitigating steps.
I readily admit I’m not hugely experienced with this particular aspect of the technology sector, so I’m open to arguments to the contrary.
The argument is that you are placing the users of that companies products (presumably innocent bystanders in all this) at increased risk by indirectly aiding malicious parties in attacking them.
To me, the weight of this argument largely depends on how cynical you are about how far ahead/behind the security community and the companies making these products are compared with the malicious parties.
Although in this case, given the extreme ease of the attack, I think that it doesn’t matter.
Edited 2017-11-29 23:54 UTC